Making Sense of Consent Under the GDPR

Posted by Elizabeth Schweyen on March 7, 2018

With the General Data Protection Regulation (GDPR) quickly approaching, we’ve had many customers asking questions about the different legal bases for processing data. Of the six legal bases (consent; contract; legal obligation; vital interests; public tasks; and legitimate interests), perhaps those causing the most confusion and uncertainty are consent and legitimate interests. Carmel covers legitimate interest in her blog, so in this blog, I will cover the topic of consent. As a previous blog in our series alluded to, a key change in the upcoming GDPR enforcement is how companies are able to gain consent from their data subjects. Previously, implicit or opt-out consent was allowed in certain circumstances. As an example, under previous laws, it was acceptable for email marketers to pre-check their opt-in boxes when signing users up to receive their emails:

That all changes after May 25, 2018. For most companies, this will drastically change how they’re able to opt users into their services.

GDPR sets a new standard for consent. Under the GDPR, “consent” means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11)). While the concepts themselves are not new, the enforcement and potential consequence of non-compliance are unknown territory.

I’m sure many of you are asking yourselves if your current consent practices comply. I’ve provided the following questions to see how they stack up:

Is your current consent unambiguous? Does it require a statement or clear affirmative action in order to opt someone in? Inaction, pre-checked boxes, or opt-out language is in violation. An example is included below:

Is current consent freely given? Does the data subject have a genuine choice to provide their data? Will they be negatively impacted if they withhold consent?

If the data subject has no genuine or free choice, or is unable to refuse or withdraw consent easily and without detriment (Article 7(3)), you are in violation.

If the conditions of a contract (including the provision of a service) are conditional on consenting to the processing of personal data that is not necessary for the performance of that contract (Article 7(4)), you are in violation.

Is the current consent specific? Does it include all purposes/reasons for the data processing which will occur? Below is considered sufficient for email collection:

Is the current consent informed? Does the language make the data subject aware of their right to withdraw? Does it make it clear who the data controller is and the purposes of collecting the data?

Below is a good example of a company doing a great job of informing its users of their ability to access or withdraw their data:

Are you keeping accurate records of consent? This includes who, when, how, and what you’ve told data subjects.

If you’ve answered no to any of these questions, you’re not alone. Return Path works with many businesses that still have updates to make in order to be fully compliant with GDPR come May 25, 2018. To help your teams prepare, I’ve detailed how Return Path is updating our consent practices to ensure our GDPR compliance:

Updating our Privacy Policy: Return Path has always maintained a very transparent Privacy Policy. However, to better comply with GDPR, we’re moving to a single Privacy Policy across all products in the organization. This allows users to more easily access all policy-related information in one spot rather than across multiple privacy policies. The Privacy Policy will more clearly inform users how their data will be processed and shared. It will also outline exactly how data subjects can exercise their right to access or remove data.

Updating consumer application disclosures: Although the previous disclosure language within Return Path consumer applications (Shopami, Whisker Widget, Organizer, Unsubscriber) disclosed that we share data with third parties, we will be updating the disclosure to be more transparent about how that data is used to ensure data subjects are making an informed choice. We will also be including an unchecked checkbox in close proximity to the sign-up/download of the product.

Updating Certification Program standards: We realize that the new GDPR practices impose a higher duty of consent than our current certification standards. We’re reviewing the standards at this time to determine a consent standard which will be better aligned with GDPR. We will be releasing more details around these updates very soon.

While this may feel like a large undertaking, updating your consent practices will help customers to understand and feel more at ease with how your business is processing and utilizing their data. In the long run, this will create a more positive experience for them and improve their relationship with your business. Check out our blog post on how consumers benefit from the GDPR to understand this further!


About Elizabeth Schweyen

Elizabeth Schweyen is the Privacy Specialist at Return Path. She's involved in helping Return Path prepare for the GDPR and ensuring we stay ahead of industry standards when it comes to Privacy. Elizabeth's previous role on the Return Path Compliance team makes her a stickler for the rules, putting her in an excellent position to help lead the company into GDPR compliance! Outside of work you can find Elizabeth exploring the Rocky Mountains, catching up with friends, or watching Michigan football (Go Blue!).